NetScaler. Web Service Availability and Security

Transcription

1 NetScaler Web Service Availability and Security

2 NetScaler Application Delivery Controller What is NetScaler? NetScaler is an enterprise grade application delivery controller, or ADC. So, what does that mean? NetScaler is the appliance that sits between external users and your back-end resources. The list of features and use cases for the NetScaler is so long, it would be easier to explain what it doesn t do. But where s the fun in that? Let s start off with the basics. The primary features of the appliance are load balancing, AAA traffic management, traffic optimization, SSL offload and security protection against application attacks

3 NetScaler Flexible Deployment Options

4 NetScaler Licensing Offerings Standard Edition Enterprise Edition Platinum Edition Comprehensive L4-7 load balancing and optimizes expensive server and network resources to reduce cost Web application delivery solution providing advanced traffic management and powerful application acceleration Web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost

5 Physical Price-Performance Virtual Run Anywhere Platform Multi-Service Multi-Tenant

6 Platform Lineup: NetScaler Performance (HTTP)/ Gbps MPX 25100T-25160T 100Gbps 160Gbps No HW SSL MPX/SDX Gbps 150Gbps 80 Instances MPX (40G) 160Gbps 180Gbps MPX/SDX Gbps 42Gbps 20 Instances MPX (40G) 60Gbps 80Gbps MPX/SDX Gbps 120Gbps 80 Instances 5 1 MPX FIPS 3Gbps 15Gbps VPX 10Mbps 3Gbps MPX Mbps-1 Gbps MPX/SDX Gbps 15Gbps 5 Instances Single-tenant Multi-tenant Capable FIPS Platforms Maximum Tenants per Platform

7 Authentication Authorization Auditing AAA

8 Features Authentication ᵒ All Major Authentication Servers Active Directory, LDAP, ADFS, IDP RADIUS, OTP ( ID, SMS,.. ), TACACS+, NTLM, Smart Card Kerberos KCD ᵒ SAML 2 SSO support ᵒ Certificate Based Authentication ᵒ Multiple Authentication Servers Two Factor & Dual Passwords Cascading ᵒ Flexible Policy Based Rules Authorization ᵒ User/group level at LB/CS vserver

9 Features Auditing ᵒ Full Audit Trail of TM End-Users by TCP, UDP, HTTP ᵒ SYSLOG & High Performance TCP Logging supported ᵒ Full Audit Trail of System Administrators All commands logged Roles Based Administration ᵒ All System Events Logged ᵒ Rich Detail ᵒ Scriptable log format ᵒ Fine Grained Policy Based Auditing Security ᵒ Brute Force Attack Protection account lock issue blocking ᵒ Authentication Offloading more secure log-in with sso

10 SSL / TLS

11 Various SSL focused attacks in last years Heartbleed OpenSSL only, stealing cert private key, passwords,.. from server memory read, existed very long time more then 2 years - need to replace private key even after bug fix Beast TLS 1.0, browser exploit needs js ( via CSRF for example ), steals ssl session id - use TLS 1.1/1.2 only Crime using optional https compression - DEFLATE, browser exploit needs js, Google SPDY has compression by default don t use compression or old browser ver with SPDY like Google, Firefox Poodle SSL 3.0 & TLS 1.0 with fall back on, man-in-the-middle, killed SSL 3.0 disable SSL 3.0 or use TLS_FALLBACK_SCSV with TLS 1.0 Freak weak ciphersuite export ON feature forced to use by US gov, can be used to force export of strong ciphers too, man-in-the-middle forcing to use RSA <512 to export turn off ciphersutie export SSL renegotiation older SSL/TLS renegotiation vuln, man-in-the-middle injects key renegotiation, acts as a client not server old fix was to turn off renegotiation on server, now patched.

12 Qualys SSL Labs Report

13 Latest Cipher Support AES-GCM/SHA-2 ᵒ Front-end on MPX (PX, N3) ᵒ TLSv1.2 only. ECDHE ᵒ Back-end on MPX (PX, N3) ᵒ ECDHE on front-end

14 Security Improvements TLS_FALLBACK_SCSV Support (Poodle) ᵒ ᵒ ᵒ ᵒ Signaling-Cipher-Suite-Value (SCSV) TLS clients should include the value {0x56, 0x00} (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites. TLS servers, whenever an incoming connection includes {0x56, 0x00} in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection with a fatal alert (preferably, inappropriate_fallback(86) use of TLS_FALLBACK_SCSV will ensure that SSL 3.0 is used only when a legacy implementation is involved, attackers can no longer force a protocol downgrade. Secure Renegotiation (RFC 5746) ᵒ MPX/SDX, VPX, FIPS (FW2.2) Disable SSLv3 by default in 11.0 ᵒ Via SSL profile *

15 DEFAULT Cipher Alias Re-ordering (Front-end) Old Cipher Re-Order List SSL3-RC4-MD5 (0x0004) SSL3-RC4-SHA (0x0005) SSL3-DES-CBC3-SHA (0x000a) TLS1-AES-256-CBC-SHA (0x0035) TLS1-AES-128-CBC-SHA (0x002f) SSL3-EDH-DSS-DES-CBC3-SHA (0x0013) TLS1-DHE-DSS-RC4-SHA (0x0066) TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038) ciphers New Cipher Re-Order List TLS1-AES-256-CBC-SHA (0x0035) TLS1-AES-128-CBC-SHA (0x002f) TLS1.2-AES-256-SHA256 (0x003d) TLS1.2-AES-128-SHA256 (0x003c) TLS1.2-AES256-GCM-SHA384 (0x009d) TLS1.2-AES128-GCM-SHA256 (0x009c) TLS1-ECDHE-RSA-AES256-SHA (0xc014) TLS1-ECDHE-RSA-AES128-SHA (0xc013) ciphers

16 Integration with Thales nshield Network-attached hardware security module (HSM) FIPS Level 3 and Common Criteria EAL 4+ certified Protects and manages private keys Identity-based authentication mechanisms Strong separation of duties FIPS Level 3 Tamper response mechanisms - mechanisms that wipe out keys and critical security parameters if the cover is opened or if physical probing is detected SDX VPX MPX

17 Web Application Firewall

18 Fixing the Code is expensive For Every Application Change Every 1000 lines of code averages 15 critical security defects US Department of Defense Develop Deliver Secure Develop Secure Deliver

19 More Trends 75 % of attacks are driven by financial motivations Almost 80% of the initial intrusions were relatively easy

20 Where Is the Application Firewall Deployed? Application Attacks Blocked Legitimate traffic allowed through Web App Users Internet Network Firewalls Blocks dozens of day zero attack vectors o Includes CSRF, xpath Injection, XML attachment checks Bi-directional inspection: advanced attack prevention SSL traffic supported Sustained protection up to 40 Gbps ICSA certified OWASP 10 Citrix NetScaler Application Infrastructure

21 ICSA Labs Web Application Firewall (WAF) Certification ICSA Labs Web Application Firewall (WAF) certification requirements structured with these statistics in mind Testing divided up into 6 areas - Documentation review, Functional Security, Product Functionality, Logging, Administration, and Persistence Most of the testing is in the Functional Security and Product Functionality area Verify security policy enforcement, protection and prevention against web-based attacks, CSRF protection Verify the WAF product will hide internal application structure and can accommodate application changes Require WAF products support the Positive Security model and has Active Learning support Subject the WAF product to a number of attacks including various exploits, port scanning, DoS, predictable sequence numbers, etc. Verify the admin interface is secure and not susceptible to all of the areas outlined above

22 Application Firewall Characteristics Deep Stream Inspection Bi-directional analysis Header and payload inspection Full parsing Semantic extraction Sessionization Strong Hybrid Security Model Positive & Negative Security Model Signature scanning Unique Response Tagging Functionality Easy Deployment Learning Mode to ease deployment Visualizer to manage rules HTML/XML

23 NetScaler Advantage: Hybrid Security Model Signatures for known attacks Negative Model Easy deployment, Quick PoC Checks request headers (URL, cookies, etc) and body (form fields) Integrates with scanning tools Wizard to ease configuration Mix-and-match with positive security Positive Model Defense against zero-day attacks Defense against custom attacks Strongest security posture Learning mode

24 Signature Maintenance/Updates Based on SNORT Partnership with SourceFire to provide signatures Open format for signature files Signature versioning Automatic identification of new signatures

25 Integrates with Scanner tools Run periodic scans Protected website

26 3 rd party Vulnerability Tools integration Cenzic Qualys Whitehat IBM AppScan TrendMicro Resources: blogs.citrix.com, Citrix Ready links

27 Integrated HTML and XML Security XML Security Threat Protection Content Validation Data Leak Prevention Reporting and Monitoring WSDL/Schema validation Secures all flavors of XML Applications Single devices for XML, HTML and Web 2.0 applications security Check types are categories as HTML, XML or Common Block, Log and Statistics can be enable for all checks.

28 PCI Compliance Data Leak protection Credit Card Number Pattern Matching Personal Identity Info Reporting and Logging capabilities for Audits Analyze AppFirewall configuration against PCI-DSS requirements Executive summary of AppFirewall configuration

29 NetScaler Web Application Firewall Differentiatons

30 Citrix Web AppFirewall Differentiation Pay as you grow capability Broadest lineup of standalone AppFirewalls on MPX Increased performance: 500 Mbps to 40 Gbps (basic) throughput All fully eligible for upgrades to NetScaler-Platinum/Integrated software - comprehensive Superior price/performance and feature advantage

31 NetScaler Security Announcements - NetScaler Application Firewall recognised as the leader by NSS labs. - The most compelling value to security effectiveness of any products tested.

32 NetScaler Security Announcements After the NSS labs report Code changes in AppFW drove a performance increase of % Available now in latest 10.5.e or 11 build. Other enhancements include location based detection and protection plus request capturing (trace) for blocked requests.

33 NetScaler Security Announcements AppFirewall Basic Tput (Gbps) Prior e / 11.0 MPX MPX MPX MPX MPX MPX MPX MPX % to 200% improvement MPX MPX MPX MPX MPX MPX MPX MPX

34 Additional Security Features L4 DOS/DDOS L7 DOS/DDOS TCP & HTTP profiles Content Filtering Priority Queuing Sure Connect Surge Protection Rewrite Responder Rate-Limiter

35